@opensip-cli/checks-universal 0.1.0
- package/LICENSE +202 -0
- package/NOTICE +8 -0
- package/README.md +31 -0
- package/dist/__tests__/all-checks-execute.test.d.ts +17 -0
- package/dist/__tests__/all-checks-execute.test.d.ts.map +1 -0
- package/dist/__tests__/all-checks-execute.test.js +452 -0
- package/dist/__tests__/all-checks-execute.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-10.test.d.ts +8 -0
- package/dist/__tests__/behavior-fixtures-10.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-10.test.js +200 -0
- package/dist/__tests__/behavior-fixtures-10.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-11.test.d.ts +8 -0
- package/dist/__tests__/behavior-fixtures-11.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-11.test.js +120 -0
- package/dist/__tests__/behavior-fixtures-11.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-12.test.d.ts +8 -0
- package/dist/__tests__/behavior-fixtures-12.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-12.test.js +157 -0
- package/dist/__tests__/behavior-fixtures-12.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-2.test.d.ts +8 -0
- package/dist/__tests__/behavior-fixtures-2.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-2.test.js +785 -0
- package/dist/__tests__/behavior-fixtures-2.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-3.test.d.ts +6 -0
- package/dist/__tests__/behavior-fixtures-3.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-3.test.js +663 -0
- package/dist/__tests__/behavior-fixtures-3.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-4.test.d.ts +5 -0
- package/dist/__tests__/behavior-fixtures-4.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-4.test.js +612 -0
- package/dist/__tests__/behavior-fixtures-4.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-5.test.d.ts +5 -0
- package/dist/__tests__/behavior-fixtures-5.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-5.test.js +469 -0
- package/dist/__tests__/behavior-fixtures-5.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-6.test.d.ts +8 -0
- package/dist/__tests__/behavior-fixtures-6.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-6.test.js +591 -0
- package/dist/__tests__/behavior-fixtures-6.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-7.test.d.ts +5 -0
- package/dist/__tests__/behavior-fixtures-7.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-7.test.js +662 -0
- package/dist/__tests__/behavior-fixtures-7.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-8.test.d.ts +11 -0
- package/dist/__tests__/behavior-fixtures-8.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-8.test.js +634 -0
- package/dist/__tests__/behavior-fixtures-8.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-9.test.d.ts +11 -0
- package/dist/__tests__/behavior-fixtures-9.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-9.test.js +271 -0
- package/dist/__tests__/behavior-fixtures-9.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures.test.d.ts +14 -0
- package/dist/__tests__/behavior-fixtures.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures.test.js +1423 -0
- package/dist/__tests__/behavior-fixtures.test.js.map +1 -0
- package/dist/__tests__/checks.test.d.ts +2 -0
- package/dist/__tests__/checks.test.d.ts.map +1 -0
- package/dist/__tests__/checks.test.js +61 -0
- package/dist/__tests__/checks.test.js.map +1 -0
- package/dist/__tests__/env-var-validation.test.d.ts +14 -0
- package/dist/__tests__/env-var-validation.test.d.ts.map +1 -0
- package/dist/__tests__/env-var-validation.test.js +53 -0
- package/dist/__tests__/env-var-validation.test.js.map +1 -0
- package/dist/__tests__/file-length-limit.test.d.ts +2 -0
- package/dist/__tests__/file-length-limit.test.d.ts.map +1 -0
- package/dist/__tests__/file-length-limit.test.js +29 -0
- package/dist/__tests__/file-length-limit.test.js.map +1 -0
- package/dist/__tests__/fixture-coverage.allowlist.d.ts +18 -0
- package/dist/__tests__/fixture-coverage.allowlist.d.ts.map +1 -0
- package/dist/__tests__/fixture-coverage.allowlist.js +35 -0
- package/dist/__tests__/fixture-coverage.allowlist.js.map +1 -0
- package/dist/__tests__/fixture-coverage.test.d.ts +13 -0
- package/dist/__tests__/fixture-coverage.test.d.ts.map +1 -0
- package/dist/__tests__/fixture-coverage.test.js +57 -0
- package/dist/__tests__/fixture-coverage.test.js.map +1 -0
- package/dist/__tests__/iic.test.d.ts +15 -0
- package/dist/__tests__/iic.test.d.ts.map +1 -0
- package/dist/__tests__/iic.test.js +316 -0
- package/dist/__tests__/iic.test.js.map +1 -0
- package/dist/__tests__/no-skipped-tests.test.d.ts +14 -0
- package/dist/__tests__/no-skipped-tests.test.d.ts.map +1 -0
- package/dist/__tests__/no-skipped-tests.test.js +144 -0
- package/dist/__tests__/no-skipped-tests.test.js.map +1 -0
- package/dist/__tests__/no-todo-comments.test.d.ts +2 -0
- package/dist/__tests__/no-todo-comments.test.d.ts.map +1 -0
- package/dist/__tests__/no-todo-comments.test.js +31 -0
- package/dist/__tests__/no-todo-comments.test.js.map +1 -0
- package/dist/__tests__/no-unimplemented-markers.test.d.ts +2 -0
- package/dist/__tests__/no-unimplemented-markers.test.d.ts.map +1 -0
- package/dist/__tests__/no-unimplemented-markers.test.js +140 -0
- package/dist/__tests__/no-unimplemented-markers.test.js.map +1 -0
- package/dist/__tests__/public-api-jsdoc-scope.test.d.ts +10 -0
- package/dist/__tests__/public-api-jsdoc-scope.test.d.ts.map +1 -0
- package/dist/__tests__/public-api-jsdoc-scope.test.js +176 -0
- package/dist/__tests__/public-api-jsdoc-scope.test.js.map +1 -0
- package/dist/__tests__/resilience-fp.test.d.ts +14 -0
- package/dist/__tests__/resilience-fp.test.d.ts.map +1 -0
- package/dist/__tests__/resilience-fp.test.js +110 -0
- package/dist/__tests__/resilience-fp.test.js.map +1 -0
- package/dist/checks/architecture/__tests__/no-kebab-option-indexing.test.d.ts +2 -0
- package/dist/checks/architecture/__tests__/no-kebab-option-indexing.test.d.ts.map +1 -0
- package/dist/checks/architecture/__tests__/no-kebab-option-indexing.test.js +32 -0
- package/dist/checks/architecture/__tests__/no-kebab-option-indexing.test.js.map +1 -0
- package/dist/checks/architecture/__tests__/tool-has-manifest.test.d.ts +2 -0
- package/dist/checks/architecture/__tests__/tool-has-manifest.test.d.ts.map +1 -0
- package/dist/checks/architecture/__tests__/tool-has-manifest.test.js +152 -0
- package/dist/checks/architecture/__tests__/tool-has-manifest.test.js.map +1 -0
- package/dist/checks/architecture/__tests__/vitest-config-required-with-tests.test.d.ts +2 -0
- package/dist/checks/architecture/__tests__/vitest-config-required-with-tests.test.d.ts.map +1 -0
- package/dist/checks/architecture/__tests__/vitest-config-required-with-tests.test.js +129 -0
- package/dist/checks/architecture/__tests__/vitest-config-required-with-tests.test.js.map +1 -0
- package/dist/checks/architecture/_yaml-doc-bindings.d.ts +23 -0
- package/dist/checks/architecture/_yaml-doc-bindings.d.ts.map +1 -0
- package/dist/checks/architecture/_yaml-doc-bindings.js +29 -0
- package/dist/checks/architecture/_yaml-doc-bindings.js.map +1 -0
- package/dist/checks/architecture/dependencies/index.d.ts +2 -0
- package/dist/checks/architecture/dependencies/index.d.ts.map +1 -0
- package/dist/checks/architecture/dependencies/index.js +2 -0
- package/dist/checks/architecture/dependencies/index.js.map +1 -0
- package/dist/checks/architecture/dependencies/no-duplicate-packages.d.ts +11 -0
- package/dist/checks/architecture/dependencies/no-duplicate-packages.d.ts.map +1 -0
- package/dist/checks/architecture/dependencies/no-duplicate-packages.js +171 -0
- package/dist/checks/architecture/dependencies/no-duplicate-packages.js.map +1 -0
- package/dist/checks/architecture/docker-best-practices.d.ts +23 -0
- package/dist/checks/architecture/docker-best-practices.d.ts.map +1 -0
- package/dist/checks/architecture/docker-best-practices.js +427 -0
- package/dist/checks/architecture/docker-best-practices.js.map +1 -0
- package/dist/checks/architecture/docker-ignore-validation.d.ts +18 -0
- package/dist/checks/architecture/docker-ignore-validation.d.ts.map +1 -0
- package/dist/checks/architecture/docker-ignore-validation.js +117 -0
- package/dist/checks/architecture/docker-ignore-validation.js.map +1 -0
- package/dist/checks/architecture/docker-version-sync.d.ts +16 -0
- package/dist/checks/architecture/docker-version-sync.d.ts.map +1 -0
- package/dist/checks/architecture/docker-version-sync.js +193 -0
- package/dist/checks/architecture/docker-version-sync.js.map +1 -0
- package/dist/checks/architecture/env-var-validation.d.ts +14 -0
- package/dist/checks/architecture/env-var-validation.d.ts.map +1 -0
- package/dist/checks/architecture/env-var-validation.js +289 -0
- package/dist/checks/architecture/env-var-validation.js.map +1 -0
- package/dist/checks/architecture/heavy-import-detection.d.ts +11 -0
- package/dist/checks/architecture/heavy-import-detection.d.ts.map +1 -0
- package/dist/checks/architecture/heavy-import-detection.js +91 -0
- package/dist/checks/architecture/heavy-import-detection.js.map +1 -0
- package/dist/checks/architecture/index.d.ts +16 -0
- package/dist/checks/architecture/index.d.ts.map +1 -0
- package/dist/checks/architecture/index.js +16 -0
- package/dist/checks/architecture/index.js.map +1 -0
- package/dist/checks/architecture/modules/empty-package-detection.d.ts +11 -0
- package/dist/checks/architecture/modules/empty-package-detection.d.ts.map +1 -0
- package/dist/checks/architecture/modules/empty-package-detection.js +277 -0
- package/dist/checks/architecture/modules/empty-package-detection.js.map +1 -0
- package/dist/checks/architecture/modules/index.d.ts +3 -0
- package/dist/checks/architecture/modules/index.d.ts.map +1 -0
- package/dist/checks/architecture/modules/index.js +3 -0
- package/dist/checks/architecture/modules/index.js.map +1 -0
- package/dist/checks/architecture/modules/interface-implementation-consistency.d.ts +12 -0
- package/dist/checks/architecture/modules/interface-implementation-consistency.d.ts.map +1 -0
- package/dist/checks/architecture/modules/interface-implementation-consistency.js +555 -0
- package/dist/checks/architecture/modules/interface-implementation-consistency.js.map +1 -0
- package/dist/checks/architecture/no-custom-event-emitter.d.ts +11 -0
- package/dist/checks/architecture/no-custom-event-emitter.d.ts.map +1 -0
- package/dist/checks/architecture/no-custom-event-emitter.js +123 -0
- package/dist/checks/architecture/no-custom-event-emitter.js.map +1 -0
- package/dist/checks/architecture/no-kebab-option-indexing.d.ts +33 -0
- package/dist/checks/architecture/no-kebab-option-indexing.d.ts.map +1 -0
- package/dist/checks/architecture/no-kebab-option-indexing.js +81 -0
- package/dist/checks/architecture/no-kebab-option-indexing.js.map +1 -0
- package/dist/checks/architecture/node-version-consistency.d.ts +22 -0
- package/dist/checks/architecture/node-version-consistency.d.ts.map +1 -0
- package/dist/checks/architecture/node-version-consistency.js +225 -0
- package/dist/checks/architecture/node-version-consistency.js.map +1 -0
- package/dist/checks/architecture/project-readme-existence.d.ts +13 -0
- package/dist/checks/architecture/project-readme-existence.d.ts.map +1 -0
- package/dist/checks/architecture/project-readme-existence.js +55 -0
- package/dist/checks/architecture/project-readme-existence.js.map +1 -0
- package/dist/checks/architecture/stale-build-artifacts.d.ts +10 -0
- package/dist/checks/architecture/stale-build-artifacts.d.ts.map +1 -0
- package/dist/checks/architecture/stale-build-artifacts.js +55 -0
- package/dist/checks/architecture/stale-build-artifacts.js.map +1 -0
- package/dist/checks/architecture/tool-has-manifest.d.ts +27 -0
- package/dist/checks/architecture/tool-has-manifest.d.ts.map +1 -0
- package/dist/checks/architecture/tool-has-manifest.js +135 -0
- package/dist/checks/architecture/tool-has-manifest.js.map +1 -0
- package/dist/checks/architecture/vitest-config-extends-base.d.ts +15 -0
- package/dist/checks/architecture/vitest-config-extends-base.d.ts.map +1 -0
- package/dist/checks/architecture/vitest-config-extends-base.js +104 -0
- package/dist/checks/architecture/vitest-config-extends-base.js.map +1 -0
- package/dist/checks/architecture/vitest-config-required-with-tests.d.ts +49 -0
- package/dist/checks/architecture/vitest-config-required-with-tests.d.ts.map +1 -0
- package/dist/checks/architecture/vitest-config-required-with-tests.js +199 -0
- package/dist/checks/architecture/vitest-config-required-with-tests.js.map +1 -0
- package/dist/checks/documentation/_directives/eslint.d.ts +9 -0
- package/dist/checks/documentation/_directives/eslint.d.ts.map +1 -0
- package/dist/checks/documentation/_directives/eslint.js +168 -0
- package/dist/checks/documentation/_directives/eslint.js.map +1 -0
- package/dist/checks/documentation/_directives/fitness.d.ts +9 -0
- package/dist/checks/documentation/_directives/fitness.d.ts.map +1 -0
- package/dist/checks/documentation/_directives/fitness.js +64 -0
- package/dist/checks/documentation/_directives/fitness.js.map +1 -0
- package/dist/checks/documentation/_directives/graph.d.ts +10 -0
- package/dist/checks/documentation/_directives/graph.d.ts.map +1 -0
- package/dist/checks/documentation/_directives/graph.js +65 -0
- package/dist/checks/documentation/_directives/graph.js.map +1 -0
- package/dist/checks/documentation/_directives/graph.test.d.ts +2 -0
- package/dist/checks/documentation/_directives/graph.test.d.ts.map +1 -0
- package/dist/checks/documentation/_directives/graph.test.js +54 -0
- package/dist/checks/documentation/_directives/graph.test.js.map +1 -0
- package/dist/checks/documentation/_directives/semgrep.d.ts +8 -0
- package/dist/checks/documentation/_directives/semgrep.d.ts.map +1 -0
- package/dist/checks/documentation/_directives/semgrep.js +72 -0
- package/dist/checks/documentation/_directives/semgrep.js.map +1 -0
- package/dist/checks/documentation/_directives/types.d.ts +21 -0
- package/dist/checks/documentation/_directives/types.d.ts.map +1 -0
- package/dist/checks/documentation/_directives/types.js +9 -0
- package/dist/checks/documentation/_directives/types.js.map +1 -0
- package/dist/checks/documentation/_directives/typescript.d.ts +10 -0
- package/dist/checks/documentation/_directives/typescript.d.ts.map +1 -0
- package/dist/checks/documentation/_directives/typescript.js +54 -0
- package/dist/checks/documentation/_directives/typescript.js.map +1 -0
- package/dist/checks/documentation/_public-api-graph.d.ts +30 -0
- package/dist/checks/documentation/_public-api-graph.d.ts.map +1 -0
- package/dist/checks/documentation/_public-api-graph.js +304 -0
- package/dist/checks/documentation/_public-api-graph.js.map +1 -0
- package/dist/checks/documentation/directive-audit.d.ts +26 -0
- package/dist/checks/documentation/directive-audit.d.ts.map +1 -0
- package/dist/checks/documentation/directive-audit.js +144 -0
- package/dist/checks/documentation/directive-audit.js.map +1 -0
- package/dist/checks/documentation/index.d.ts +3 -0
- package/dist/checks/documentation/index.d.ts.map +1 -0
- package/dist/checks/documentation/index.js +3 -0
- package/dist/checks/documentation/index.js.map +1 -0
- package/dist/checks/documentation/public-api-jsdoc.d.ts +10 -0
- package/dist/checks/documentation/public-api-jsdoc.d.ts.map +1 -0
- package/dist/checks/documentation/public-api-jsdoc.js +131 -0
- package/dist/checks/documentation/public-api-jsdoc.js.map +1 -0
- package/dist/checks/file-length-limit.d.ts +16 -0
- package/dist/checks/file-length-limit.d.ts.map +1 -0
- package/dist/checks/file-length-limit.js +47 -0
- package/dist/checks/file-length-limit.js.map +1 -0
- package/dist/checks/index.d.ts +16 -0
- package/dist/checks/index.d.ts.map +1 -0
- package/dist/checks/index.js +16 -0
- package/dist/checks/index.js.map +1 -0
- package/dist/checks/no-todo-comments.d.ts +18 -0
- package/dist/checks/no-todo-comments.d.ts.map +1 -0
- package/dist/checks/no-todo-comments.js +79 -0
- package/dist/checks/no-todo-comments.js.map +1 -0
- package/dist/checks/no-unimplemented-markers.d.ts +24 -0
- package/dist/checks/no-unimplemented-markers.d.ts.map +1 -0
- package/dist/checks/no-unimplemented-markers.js +198 -0
- package/dist/checks/no-unimplemented-markers.js.map +1 -0
- package/dist/checks/quality/api/graphql-offset-pagination.d.ts +9 -0
- package/dist/checks/quality/api/graphql-offset-pagination.d.ts.map +1 -0
- package/dist/checks/quality/api/graphql-offset-pagination.js +63 -0
- package/dist/checks/quality/api/graphql-offset-pagination.js.map +1 -0
- package/dist/checks/quality/api/index.d.ts +3 -0
- package/dist/checks/quality/api/index.d.ts.map +1 -0
- package/dist/checks/quality/api/index.js +3 -0
- package/dist/checks/quality/api/index.js.map +1 -0
- package/dist/checks/quality/api/zod-openapi-sync.d.ts +13 -0
- package/dist/checks/quality/api/zod-openapi-sync.d.ts.map +1 -0
- package/dist/checks/quality/api/zod-openapi-sync.js +88 -0
- package/dist/checks/quality/api/zod-openapi-sync.js.map +1 -0
- package/dist/checks/quality/code-structure/dead-code.d.ts +12 -0
- package/dist/checks/quality/code-structure/dead-code.d.ts.map +1 -0
- package/dist/checks/quality/code-structure/dead-code.js +238 -0
- package/dist/checks/quality/code-structure/dead-code.js.map +1 -0
- package/dist/checks/quality/code-structure/index.d.ts +5 -0
- package/dist/checks/quality/code-structure/index.d.ts.map +1 -0
- package/dist/checks/quality/code-structure/index.js +5 -0
- package/dist/checks/quality/code-structure/index.js.map +1 -0
- package/dist/checks/quality/code-structure/no-ai-attribution.d.ts +25 -0
- package/dist/checks/quality/code-structure/no-ai-attribution.d.ts.map +1 -0
- package/dist/checks/quality/code-structure/no-ai-attribution.js +76 -0
- package/dist/checks/quality/code-structure/no-ai-attribution.js.map +1 -0
- package/dist/checks/quality/code-structure/no-console-log.d.ts +17 -0
- package/dist/checks/quality/code-structure/no-console-log.d.ts.map +1 -0
- package/dist/checks/quality/code-structure/no-console-log.js +106 -0
- package/dist/checks/quality/code-structure/no-console-log.js.map +1 -0
- package/dist/checks/quality/code-structure/no-process-artifacts.d.ts +25 -0
- package/dist/checks/quality/code-structure/no-process-artifacts.d.ts.map +1 -0
- package/dist/checks/quality/code-structure/no-process-artifacts.js +104 -0
- package/dist/checks/quality/code-structure/no-process-artifacts.js.map +1 -0
- package/dist/checks/quality/dependency-version-consistency.d.ts +20 -0
- package/dist/checks/quality/dependency-version-consistency.d.ts.map +1 -0
- package/dist/checks/quality/dependency-version-consistency.js +266 -0
- package/dist/checks/quality/dependency-version-consistency.js.map +1 -0
- package/dist/checks/quality/fitness-ignore-hygiene.d.ts +10 -0
- package/dist/checks/quality/fitness-ignore-hygiene.d.ts.map +1 -0
- package/dist/checks/quality/fitness-ignore-hygiene.js +93 -0
- package/dist/checks/quality/fitness-ignore-hygiene.js.map +1 -0
- package/dist/checks/quality/frontend/expo-vector-icons.d.ts +13 -0
- package/dist/checks/quality/frontend/expo-vector-icons.d.ts.map +1 -0
- package/dist/checks/quality/frontend/expo-vector-icons.js +80 -0
- package/dist/checks/quality/frontend/expo-vector-icons.js.map +1 -0
- package/dist/checks/quality/frontend/image-optimization.d.ts +13 -0
- package/dist/checks/quality/frontend/image-optimization.d.ts.map +1 -0
- package/dist/checks/quality/frontend/image-optimization.js +166 -0
- package/dist/checks/quality/frontend/image-optimization.js.map +1 -0
- package/dist/checks/quality/frontend/index.d.ts +4 -0
- package/dist/checks/quality/frontend/index.d.ts.map +1 -0
- package/dist/checks/quality/frontend/index.js +4 -0
- package/dist/checks/quality/frontend/index.js.map +1 -0
- package/dist/checks/quality/frontend/navigation-typing.d.ts +12 -0
- package/dist/checks/quality/frontend/navigation-typing.d.ts.map +1 -0
- package/dist/checks/quality/frontend/navigation-typing.js +77 -0
- package/dist/checks/quality/frontend/navigation-typing.js.map +1 -0
- package/dist/checks/quality/graph-ignore-hygiene.d.ts +10 -0
- package/dist/checks/quality/graph-ignore-hygiene.d.ts.map +1 -0
- package/dist/checks/quality/graph-ignore-hygiene.js +95 -0
- package/dist/checks/quality/graph-ignore-hygiene.js.map +1 -0
- package/dist/checks/quality/graph-ignore-hygiene.test.d.ts +14 -0
- package/dist/checks/quality/graph-ignore-hygiene.test.d.ts.map +1 -0
- package/dist/checks/quality/graph-ignore-hygiene.test.js +58 -0
- package/dist/checks/quality/graph-ignore-hygiene.test.js.map +1 -0
- package/dist/checks/quality/index.d.ts +16 -0
- package/dist/checks/quality/index.d.ts.map +1 -0
- package/dist/checks/quality/index.js +16 -0
- package/dist/checks/quality/index.js.map +1 -0
- package/dist/checks/quality/linting/eslint-justifications.d.ts +12 -0
- package/dist/checks/quality/linting/eslint-justifications.d.ts.map +1 -0
- package/dist/checks/quality/linting/eslint-justifications.js +328 -0
- package/dist/checks/quality/linting/eslint-justifications.js.map +1 -0
- package/dist/checks/quality/linting/index.d.ts +4 -0
- package/dist/checks/quality/linting/index.d.ts.map +1 -0
- package/dist/checks/quality/linting/index.js +4 -0
- package/dist/checks/quality/linting/index.js.map +1 -0
- package/dist/checks/quality/linting/semgrep-justifications.d.ts +16 -0
- package/dist/checks/quality/linting/semgrep-justifications.d.ts.map +1 -0
- package/dist/checks/quality/linting/semgrep-justifications.js +229 -0
- package/dist/checks/quality/linting/semgrep-justifications.js.map +1 -0
- package/dist/checks/quality/linting/typescript-directive-hygiene.d.ts +12 -0
- package/dist/checks/quality/linting/typescript-directive-hygiene.d.ts.map +1 -0
- package/dist/checks/quality/linting/typescript-directive-hygiene.js +142 -0
- package/dist/checks/quality/linting/typescript-directive-hygiene.js.map +1 -0
- package/dist/checks/quality/no-compatibility-layer-names.d.ts +13 -0
- package/dist/checks/quality/no-compatibility-layer-names.d.ts.map +1 -0
- package/dist/checks/quality/no-compatibility-layer-names.js +100 -0
- package/dist/checks/quality/no-compatibility-layer-names.js.map +1 -0
- package/dist/checks/quality/no-deprecated-tags.d.ts +11 -0
- package/dist/checks/quality/no-deprecated-tags.d.ts.map +1 -0
- package/dist/checks/quality/no-deprecated-tags.js +76 -0
- package/dist/checks/quality/no-deprecated-tags.js.map +1 -0
- package/dist/checks/quality/no-markdown-references.d.ts +16 -0
- package/dist/checks/quality/no-markdown-references.d.ts.map +1 -0
- package/dist/checks/quality/no-markdown-references.js +145 -0
- package/dist/checks/quality/no-markdown-references.js.map +1 -0
- package/dist/checks/quality/no-raw-regex-on-code.d.ts +9 -0
- package/dist/checks/quality/no-raw-regex-on-code.d.ts.map +1 -0
- package/dist/checks/quality/no-raw-regex-on-code.js +61 -0
- package/dist/checks/quality/no-raw-regex-on-code.js.map +1 -0
- package/dist/checks/quality/no-temporary-workarounds.d.ts +11 -0
- package/dist/checks/quality/no-temporary-workarounds.d.ts.map +1 -0
- package/dist/checks/quality/no-temporary-workarounds.js +69 -0
- package/dist/checks/quality/no-temporary-workarounds.js.map +1 -0
- package/dist/checks/quality/no-window-alert.d.ts +19 -0
- package/dist/checks/quality/no-window-alert.d.ts.map +1 -0
- package/dist/checks/quality/no-window-alert.js +74 -0
- package/dist/checks/quality/no-window-alert.js.map +1 -0
- package/dist/checks/quality/observability/index.d.ts +2 -0
- package/dist/checks/quality/observability/index.d.ts.map +1 -0
- package/dist/checks/quality/observability/index.js +2 -0
- package/dist/checks/quality/observability/index.js.map +1 -0
- package/dist/checks/quality/observability/pino-serializer-coverage.d.ts +15 -0
- package/dist/checks/quality/observability/pino-serializer-coverage.d.ts.map +1 -0
- package/dist/checks/quality/observability/pino-serializer-coverage.js +209 -0
- package/dist/checks/quality/observability/pino-serializer-coverage.js.map +1 -0
- package/dist/checks/quality/patterns/async-state-pattern.d.ts +14 -0
- package/dist/checks/quality/patterns/async-state-pattern.d.ts.map +1 -0
- package/dist/checks/quality/patterns/async-state-pattern.js +80 -0
- package/dist/checks/quality/patterns/async-state-pattern.js.map +1 -0
- package/dist/checks/quality/patterns/index.d.ts +4 -0
- package/dist/checks/quality/patterns/index.d.ts.map +1 -0
- package/dist/checks/quality/patterns/index.js +4 -0
- package/dist/checks/quality/patterns/index.js.map +1 -0
- package/dist/checks/quality/patterns/no-non-null-assertions.d.ts +10 -0
- package/dist/checks/quality/patterns/no-non-null-assertions.d.ts.map +1 -0
- package/dist/checks/quality/patterns/no-non-null-assertions.js +97 -0
- package/dist/checks/quality/patterns/no-non-null-assertions.js.map +1 -0
- package/dist/checks/quality/patterns/performance-anti-patterns.d.ts +16 -0
- package/dist/checks/quality/patterns/performance-anti-patterns.d.ts.map +1 -0
- package/dist/checks/quality/patterns/performance-anti-patterns.js +239 -0
- package/dist/checks/quality/patterns/performance-anti-patterns.js.map +1 -0
- package/dist/checks/resilience/_helpers/config-validation.d.ts +27 -0
- package/dist/checks/resilience/_helpers/config-validation.d.ts.map +1 -0
- package/dist/checks/resilience/_helpers/config-validation.js +61 -0
- package/dist/checks/resilience/_helpers/config-validation.js.map +1 -0
- package/dist/checks/resilience/batch-operations.d.ts +22 -0
- package/dist/checks/resilience/batch-operations.d.ts.map +1 -0
- package/dist/checks/resilience/batch-operations.js +422 -0
- package/dist/checks/resilience/batch-operations.js.map +1 -0
- package/dist/checks/resilience/cache-ttl-validation.d.ts +13 -0
- package/dist/checks/resilience/cache-ttl-validation.d.ts.map +1 -0
- package/dist/checks/resilience/cache-ttl-validation.js +222 -0
- package/dist/checks/resilience/cache-ttl-validation.js.map +1 -0
- package/dist/checks/resilience/catch-clause-safety.d.ts +12 -0
- package/dist/checks/resilience/catch-clause-safety.d.ts.map +1 -0
- package/dist/checks/resilience/catch-clause-safety.js +110 -0
- package/dist/checks/resilience/catch-clause-safety.js.map +1 -0
- package/dist/checks/resilience/dangerous-config-defaults.d.ts +11 -0
- package/dist/checks/resilience/dangerous-config-defaults.d.ts.map +1 -0
- package/dist/checks/resilience/dangerous-config-defaults.js +304 -0
- package/dist/checks/resilience/dangerous-config-defaults.js.map +1 -0
- package/dist/checks/resilience/error-code-registration.d.ts +11 -0
- package/dist/checks/resilience/error-code-registration.d.ts.map +1 -0
- package/dist/checks/resilience/error-code-registration.js +88 -0
- package/dist/checks/resilience/error-code-registration.js.map +1 -0
- package/dist/checks/resilience/event-patterns.d.ts +21 -0
- package/dist/checks/resilience/event-patterns.d.ts.map +1 -0
- package/dist/checks/resilience/event-patterns.js +232 -0
- package/dist/checks/resilience/event-patterns.js.map +1 -0
- package/dist/checks/resilience/exit-code-correctness.d.ts +12 -0
- package/dist/checks/resilience/exit-code-correctness.d.ts.map +1 -0
- package/dist/checks/resilience/exit-code-correctness.js +107 -0
- package/dist/checks/resilience/exit-code-correctness.js.map +1 -0
- package/dist/checks/resilience/index.d.ts +18 -0
- package/dist/checks/resilience/index.d.ts.map +1 -0
- package/dist/checks/resilience/index.js +18 -0
- package/dist/checks/resilience/index.js.map +1 -0
- package/dist/checks/resilience/no-hardcoded-timeouts.d.ts +10 -0
- package/dist/checks/resilience/no-hardcoded-timeouts.d.ts.map +1 -0
- package/dist/checks/resilience/no-hardcoded-timeouts.js +291 -0
- package/dist/checks/resilience/no-hardcoded-timeouts.js.map +1 -0
- package/dist/checks/resilience/no-process-exit-in-finally.d.ts +11 -0
- package/dist/checks/resilience/no-process-exit-in-finally.d.ts.map +1 -0
- package/dist/checks/resilience/no-process-exit-in-finally.js +89 -0
- package/dist/checks/resilience/no-process-exit-in-finally.js.map +1 -0
- package/dist/checks/resilience/readline-cleanup.d.ts +11 -0
- package/dist/checks/resilience/readline-cleanup.d.ts.map +1 -0
- package/dist/checks/resilience/readline-cleanup.js +107 -0
- package/dist/checks/resilience/readline-cleanup.js.map +1 -0
- package/dist/checks/resilience/recovery-patterns.d.ts +25 -0
- package/dist/checks/resilience/recovery-patterns.d.ts.map +1 -0
- package/dist/checks/resilience/recovery-patterns.js +273 -0
- package/dist/checks/resilience/recovery-patterns.js.map +1 -0
- package/dist/checks/resilience/reentrancy-guard.d.ts +12 -0
- package/dist/checks/resilience/reentrancy-guard.d.ts.map +1 -0
- package/dist/checks/resilience/reentrancy-guard.js +86 -0
- package/dist/checks/resilience/reentrancy-guard.js.map +1 -0
- package/dist/checks/resilience/retry-config-validation.d.ts +13 -0
- package/dist/checks/resilience/retry-config-validation.d.ts.map +1 -0
- package/dist/checks/resilience/retry-config-validation.js +159 -0
- package/dist/checks/resilience/retry-config-validation.js.map +1 -0
- package/dist/checks/resilience/sentry/_helpers/sentry.d.ts +25 -0
- package/dist/checks/resilience/sentry/_helpers/sentry.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/_helpers/sentry.js +68 -0
- package/dist/checks/resilience/sentry/_helpers/sentry.js.map +1 -0
- package/dist/checks/resilience/sentry/index.d.ts +8 -0
- package/dist/checks/resilience/sentry/index.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/index.js +8 -0
- package/dist/checks/resilience/sentry/index.js.map +1 -0
- package/dist/checks/resilience/sentry/sentry-dsn-configured.d.ts +12 -0
- package/dist/checks/resilience/sentry/sentry-dsn-configured.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/sentry-dsn-configured.js +55 -0
- package/dist/checks/resilience/sentry/sentry-dsn-configured.js.map +1 -0
- package/dist/checks/resilience/sentry/sentry-environment-set.d.ts +12 -0
- package/dist/checks/resilience/sentry/sentry-environment-set.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/sentry-environment-set.js +51 -0
- package/dist/checks/resilience/sentry/sentry-environment-set.js.map +1 -0
- package/dist/checks/resilience/sentry/sentry-error-boundary.d.ts +12 -0
- package/dist/checks/resilience/sentry/sentry-error-boundary.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/sentry-error-boundary.js +75 -0
- package/dist/checks/resilience/sentry/sentry-error-boundary.js.map +1 -0
- package/dist/checks/resilience/sentry/sentry-pii-scrubbing.d.ts +13 -0
- package/dist/checks/resilience/sentry/sentry-pii-scrubbing.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/sentry-pii-scrubbing.js +125 -0
- package/dist/checks/resilience/sentry/sentry-pii-scrubbing.js.map +1 -0
- package/dist/checks/resilience/sentry/sentry-release-set.d.ts +12 -0
- package/dist/checks/resilience/sentry/sentry-release-set.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/sentry-release-set.js +51 -0
- package/dist/checks/resilience/sentry/sentry-release-set.js.map +1 -0
- package/dist/checks/resilience/sentry/sentry-sample-rate.d.ts +12 -0
- package/dist/checks/resilience/sentry/sentry-sample-rate.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/sentry-sample-rate.js +78 -0
- package/dist/checks/resilience/sentry/sentry-sample-rate.js.map +1 -0
- package/dist/checks/resilience/sentry/sentry-source-maps.d.ts +12 -0
- package/dist/checks/resilience/sentry/sentry-source-maps.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/sentry-source-maps.js +83 -0
- package/dist/checks/resilience/sentry/sentry-source-maps.js.map +1 -0
- package/dist/checks/resilience/service-patterns.d.ts +18 -0
- package/dist/checks/resilience/service-patterns.d.ts.map +1 -0
- package/dist/checks/resilience/service-patterns.js +230 -0
- package/dist/checks/resilience/service-patterns.js.map +1 -0
- package/dist/checks/resilience/timer-lifecycle.d.ts +10 -0
- package/dist/checks/resilience/timer-lifecycle.d.ts.map +1 -0
- package/dist/checks/resilience/timer-lifecycle.js +78 -0
- package/dist/checks/resilience/timer-lifecycle.js.map +1 -0
- package/dist/checks/resilience/transaction-patterns.d.ts +21 -0
- package/dist/checks/resilience/transaction-patterns.d.ts.map +1 -0
- package/dist/checks/resilience/transaction-patterns.js +258 -0
- package/dist/checks/resilience/transaction-patterns.js.map +1 -0
- package/dist/checks/security/__tests__/no-hardcoded-secrets.test.d.ts +9 -0
- package/dist/checks/security/__tests__/no-hardcoded-secrets.test.d.ts.map +1 -0
- package/dist/checks/security/__tests__/no-hardcoded-secrets.test.js +37 -0
- package/dist/checks/security/__tests__/no-hardcoded-secrets.test.js.map +1 -0
- package/dist/checks/security/__tests__/package-supply-chain-policy.test.d.ts +2 -0
- package/dist/checks/security/__tests__/package-supply-chain-policy.test.d.ts.map +1 -0
- package/dist/checks/security/__tests__/package-supply-chain-policy.test.js +128 -0
- package/dist/checks/security/__tests__/package-supply-chain-policy.test.js.map +1 -0
- package/dist/checks/security/api-key-rotation.d.ts +10 -0
- package/dist/checks/security/api-key-rotation.d.ts.map +1 -0
- package/dist/checks/security/api-key-rotation.js +186 -0
- package/dist/checks/security/api-key-rotation.js.map +1 -0
- package/dist/checks/security/auth-middleware-coverage.d.ts +11 -0
- package/dist/checks/security/auth-middleware-coverage.d.ts.map +1 -0
- package/dist/checks/security/auth-middleware-coverage.js +210 -0
- package/dist/checks/security/auth-middleware-coverage.js.map +1 -0
- package/dist/checks/security/auth-route-guard.d.ts +12 -0
- package/dist/checks/security/auth-route-guard.d.ts.map +1 -0
- package/dist/checks/security/auth-route-guard.js +70 -0
- package/dist/checks/security/auth-route-guard.js.map +1 -0
- package/dist/checks/security/cors-configuration.d.ts +11 -0
- package/dist/checks/security/cors-configuration.d.ts.map +1 -0
- package/dist/checks/security/cors-configuration.js +126 -0
- package/dist/checks/security/cors-configuration.js.map +1 -0
- package/dist/checks/security/csp-headers.d.ts +11 -0
- package/dist/checks/security/csp-headers.d.ts.map +1 -0
- package/dist/checks/security/csp-headers.js +192 -0
- package/dist/checks/security/csp-headers.js.map +1 -0
- package/dist/checks/security/dependency-vulnerability-audit.d.ts +15 -0
- package/dist/checks/security/dependency-vulnerability-audit.d.ts.map +1 -0
- package/dist/checks/security/dependency-vulnerability-audit.js +184 -0
- package/dist/checks/security/dependency-vulnerability-audit.js.map +1 -0
- package/dist/checks/security/env-secret-exposure.d.ts +11 -0
- package/dist/checks/security/env-secret-exposure.d.ts.map +1 -0
- package/dist/checks/security/env-secret-exposure.js +127 -0
- package/dist/checks/security/env-secret-exposure.js.map +1 -0
- package/dist/checks/security/hasura-production-config.d.ts +11 -0
- package/dist/checks/security/hasura-production-config.d.ts.map +1 -0
- package/dist/checks/security/hasura-production-config.js +122 -0
- package/dist/checks/security/hasura-production-config.js.map +1 -0
- package/dist/checks/security/index.d.ts +17 -0
- package/dist/checks/security/index.d.ts.map +1 -0
- package/dist/checks/security/index.js +17 -0
- package/dist/checks/security/index.js.map +1 -0
- package/dist/checks/security/jwt-validation.d.ts +11 -0
- package/dist/checks/security/jwt-validation.d.ts.map +1 -0
- package/dist/checks/security/jwt-validation.js +294 -0
- package/dist/checks/security/jwt-validation.js.map +1 -0
- package/dist/checks/security/no-eval.d.ts +16 -0
- package/dist/checks/security/no-eval.d.ts.map +1 -0
- package/dist/checks/security/no-eval.js +83 -0
- package/dist/checks/security/no-eval.js.map +1 -0
- package/dist/checks/security/no-hardcoded-secrets.d.ts +28 -0
- package/dist/checks/security/no-hardcoded-secrets.d.ts.map +1 -0
- package/dist/checks/security/no-hardcoded-secrets.js +209 -0
- package/dist/checks/security/no-hardcoded-secrets.js.map +1 -0
- package/dist/checks/security/package-supply-chain-policy.d.ts +12 -0
- package/dist/checks/security/package-supply-chain-policy.d.ts.map +1 -0
- package/dist/checks/security/package-supply-chain-policy.js +534 -0
- package/dist/checks/security/package-supply-chain-policy.js.map +1 -0
- package/dist/checks/security/rate-limit-coverage.d.ts +10 -0
- package/dist/checks/security/rate-limit-coverage.d.ts.map +1 -0
- package/dist/checks/security/rate-limit-coverage.js +143 -0
- package/dist/checks/security/rate-limit-coverage.js.map +1 -0
- package/dist/checks/security/semgrep-scan.d.ts +13 -0
- package/dist/checks/security/semgrep-scan.d.ts.map +1 -0
- package/dist/checks/security/semgrep-scan.js +86 -0
- package/dist/checks/security/semgrep-scan.js.map +1 -0
- package/dist/checks/security/use-centralized-crypto.d.ts +11 -0
- package/dist/checks/security/use-centralized-crypto.d.ts.map +1 -0
- package/dist/checks/security/use-centralized-crypto.js +129 -0
- package/dist/checks/security/use-centralized-crypto.js.map +1 -0
- package/dist/checks/security/webhook-signature-verification.d.ts +10 -0
- package/dist/checks/security/webhook-signature-verification.d.ts.map +1 -0
- package/dist/checks/security/webhook-signature-verification.js +183 -0
- package/dist/checks/security/webhook-signature-verification.js.map +1 -0
- package/dist/checks/testing/index.d.ts +6 -0
- package/dist/checks/testing/index.d.ts.map +1 -0
- package/dist/checks/testing/index.js +6 -0
- package/dist/checks/testing/index.js.map +1 -0
- package/dist/checks/testing/no-skipped-tests.d.ts +40 -0
- package/dist/checks/testing/no-skipped-tests.d.ts.map +1 -0
- package/dist/checks/testing/no-skipped-tests.js +174 -0
- package/dist/checks/testing/no-skipped-tests.js.map +1 -0
- package/dist/checks/testing/no-stub-tests.d.ts +11 -0
- package/dist/checks/testing/no-stub-tests.d.ts.map +1 -0
- package/dist/checks/testing/no-stub-tests.js +103 -0
- package/dist/checks/testing/no-stub-tests.js.map +1 -0
- package/dist/checks/testing/test-convention-consistency.d.ts +14 -0
- package/dist/checks/testing/test-convention-consistency.d.ts.map +1 -0
- package/dist/checks/testing/test-convention-consistency.js +93 -0
- package/dist/checks/testing/test-convention-consistency.js.map +1 -0
- package/dist/checks/testing/test-file-naming.d.ts +13 -0
- package/dist/checks/testing/test-file-naming.d.ts.map +1 -0
- package/dist/checks/testing/test-file-naming.js +218 -0
- package/dist/checks/testing/test-file-naming.js.map +1 -0
- package/dist/checks/testing/test-file-pairing.d.ts +13 -0
- package/dist/checks/testing/test-file-pairing.d.ts.map +1 -0
- package/dist/checks/testing/test-file-pairing.js +274 -0
- package/dist/checks/testing/test-file-pairing.js.map +1 -0
- package/dist/display/architecture.d.ts +9 -0
- package/dist/display/architecture.d.ts.map +1 -0
- package/dist/display/architecture.js +29 -0
- package/dist/display/architecture.js.map +1 -0
- package/dist/display/index.d.ts +20 -0
- package/dist/display/index.d.ts.map +1 -0
- package/dist/display/index.js +30 -0
- package/dist/display/index.js.map +1 -0
- package/dist/display/quality.d.ts +7 -0
- package/dist/display/quality.d.ts.map +1 -0
- package/dist/display/quality.js +34 -0
- package/dist/display/quality.js.map +1 -0
- package/dist/display/resilience.d.ts +7 -0
- package/dist/display/resilience.d.ts.map +1 -0
- package/dist/display/resilience.js +36 -0
- package/dist/display/resilience.js.map +1 -0
- package/dist/display/security-testing.d.ts +9 -0
- package/dist/display/security-testing.d.ts.map +1 -0
- package/dist/display/security-testing.js +31 -0
- package/dist/display/security-testing.js.map +1 -0
- package/dist/display/types.d.ts +6 -0
- package/dist/display/types.d.ts.map +1 -0
- package/dist/display/types.js +6 -0
- package/dist/display/types.js.map +1 -0
- package/dist/index.d.ts +19 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +21 -0
- package/dist/index.js.map +1 -0
- package/package.json +52 -0
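--- a/package/dist/checks/security/cors-configuration.js
+++ b/package/dist/checks/security/cors-configuration.js
@@ -0,0 +1,126 @@
+// @fitness-ignore-file cors-configuration -- Fitness check definition; regex patterns reference CORS tokens for detection purposes, not actual CORS configuration
+/**
+* @fileoverview Validate CORS configuration follows security best practices
+*/
+import { logger } from '@opensip-cli/core';
+import { defineCheck } from '@opensip-cli/fitness';
+/**
+* Pre-compiled CORS security patterns for static code analysis.
+* These patterns are intentional and safe - they are used to detect CORS misconfigurations
+* in source code, not to parse untrusted user input. The patterns have bounded quantifiers
+* and do not have catastrophic backtracking issues.
+*/
+// Wildcard origin: origin: "*" or origin = "*"
+const WILDCARD_ORIGIN_PATTERN = /origin\s{0,10}[:=]\s{0,10}(['"])\*\1/g;
+// Wildcard origin with credentials (simplified to avoid backtracking)
+const WILDCARD_WITH_CREDS_PATTERN = /origin\s{0,10}[:=]\s{0,10}(['"])\*\1[^}]{0,200}credentials\s{0,10}[:=]\s{0,10}true/gi;
+// Reflecting origin without validation
+const REFLECTING_ORIGIN_PATTERN = /origin\s{0,10}[:=]\s{0,10}(?:request|req)\.headers?\.origin/gi;
+// All origins allowed
+const ORIGIN_TRUE_PATTERN = /origin\s{0,10}[:=]\s{0,10}true/g;
+// Missing credentials in CORS call (simplified)
+const MISSING_CREDS_PATTERN = /cors\s{0,10}\([^)]{0,500}\)(?![^}]{0,200}credentials)/gi;
+// Patterns that indicate CORS security issues
+const CORS_SECURITY_PATTERNS = [
+// Wildcard origin
+{
+regex: WILDCARD_ORIGIN_PATTERN,
+message: 'CORS allows wildcard origin - specify allowed origins explicitly',
+suggestion: 'Replace "*" with an array of allowed origins: origin: ["https://app.example.com", "https://admin.example.com"]. Use environment variables for different environments.',
+severity: 'error',
+},
+// Wildcard origin with credentials
+{
+regex: WILDCARD_WITH_CREDS_PATTERN,
+message: 'CORS wildcard origin with credentials is dangerous - browsers block this combination',
+suggestion: 'When using credentials: true, you must specify explicit origins. Browsers block wildcard origin with credentials for security.',
+severity: 'error',
+},
+// Reflecting origin without validation
+{
+regex: REFLECTING_ORIGIN_PATTERN,
+message: 'CORS reflecting request origin without validation - validate against allowlist',
+suggestion: 'Validate the origin against an allowlist before reflecting: const allowedOrigins = new Set([...]); origin: (origin, cb) => cb(null, allowedOrigins.has(origin))',
+severity: 'error',
+},
+// All origins allowed in array
+{
+regex: ORIGIN_TRUE_PATTERN,
+message: 'CORS origin: true reflects any origin - specify allowed origins',
+suggestion: 'Replace origin: true with an explicit list of allowed origins or a validation function.',
+severity: 'warning',
+},
+// Missing credentials in potentially authenticated context
+{
+regex: MISSING_CREDS_PATTERN,
+message: 'CORS configuration may be missing credentials setting',
+suggestion: 'If this API uses cookies or Authorization headers, add credentials: true to allow credentialed requests.',
+severity: 'warning',
+},
+];
+/**
+* Check: security/cors-configuration
+*
+* Validates CORS configuration is properly restrictive.
+* Prevents overly permissive cross-origin access.
+*/
+export const corsConfiguration = defineCheck({
+id: '0ea65e8a-4ee3-43b5-9d7f-dc39fe6fafeb',
+slug: 'cors-configuration',
+disabled: true,
+scope: { languages: ['typescript'], concerns: ['backend', 'server'] },
+contentFilter: 'raw',
+confidence: 'medium',
+description: 'Validate CORS configuration follows security best practices',
+longDescription: `**Purpose:** Validates that CORS configuration is properly restrictive and does not allow overly permissive cross-origin access.
+
+**Detects:**
+- Wildcard origin: \`origin: "*"\` or \`origin = "*"\`
+- Wildcard origin combined with \`credentials: true\` (browser-rejected but indicates misconfiguration)
+- Reflecting request origin without validation: \`origin: request.headers.origin\`
+- Blanket allow: \`origin: true\`
+- CORS calls potentially missing \`credentials\` setting
+
+**Why it matters:** Overly permissive CORS allows malicious websites to make authenticated requests to your API, enabling CSRF and data theft.
+
+**Scope:** General best practice. Analyzes each file individually. Only scans files containing "cors".`,
+tags: ['security', 'cors', 'configuration'],
+fileTypes: ['ts'],
+analyze(content, filePath) {
+logger.debug({
+evt: 'fitness.checks.cors_configuration.analyze',
+msg: 'Analyzing file for CORS configuration issues',
+});
+// Only scan files that might contain CORS config
+if (!/cors/i.test(content)) {
+return [];
+}
+const violations = [];
+const lines = content.split('\n');
+for (const [lineNum, line_] of lines.entries()) {
+const line = line_ ?? '';
+// Skip comments
+if (line.trim().startsWith('//') || line.trim().startsWith('*')) {
+continue;
+}
+for (const pattern of CORS_SECURITY_PATTERNS) {
+// Reset regex state
+pattern.regex.lastIndex = 0;
+const match = pattern.regex.exec(line);
+if (match) {
+violations.push({
+line: lineNum + 1,
+column: match.index,
+message: pattern.message,
+severity: pattern.severity,
+suggestion: pattern.suggestion,
+match: match[0],
+filePath,
+});
+}
+}
+}
+return violations;
+},
+});
+//# sourceMappingURL=cors-configuration.js.map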
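Review bot: The `[^}]{0,200}` spans in WILDCARD_WITH_CREDS_PATTERN and MISSING_CREDS_PATTERN (lines 16 and 22) can never cross a line break, because `analyze` splits `content` on `'\n'` and runs each regex against one line at a time; a `cors({ origin: '*', credentials: true })` formatted over several lines is therefore reported only by WILDCARD_ORIGIN_PATTERN, and MISSING_CREDS_PATTERN additionally needs `cors(` and its closing `)` on the same line. Either run those two patterns against the whole `content` and map `match.index` back to a line number, or state in longDescription that detection is per line and covers single-line configurations only. The comment filter `line.trim().startsWith('//') || line.trim().startsWith('*')` on line 103 re-implements the `isCommentLine` helper from `@opensip-cli/fitness` that the sibling csp-headers check imports; calling it here keeps the two checks consistent. Header-style CORS such as `res.setHeader('Access-Control-Allow-Origin', '*')` matches none of the patterns, which a comment above CORS_SECURITY_PATTERNS, `// Covers middleware-option style only; raw Access-Control-Allow-Origin header writes are not detected`, would make explicit to users reading findings. `disabled: true` on line 70 ships without a stated reason; a trailing `// disabled: <reason placeholder>` comment would record why the check is off by default.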
@@ -0,0 +1 @@
1
+
{"version":3,"file":"cors-configuration.js","sourceRoot":"","sources":["../../../src/checks/security/cors-configuration.ts"],"names":[],"mappings":"AAAA,kKAAkK;AAClK;;GAEG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAC3C,OAAO,EAAE,WAAW,EAAuB,MAAM,sBAAsB,CAAC;AAExE;;;;;GAKG;AACH,+CAA+C;AAC/C,MAAM,uBAAuB,GAAG,uCAAuC,CAAC;AACxE,sEAAsE;AACtE,MAAM,2BAA2B,GAC/B,sFAAsF,CAAC;AACzF,uCAAuC;AACvC,MAAM,yBAAyB,GAAG,+DAA+D,CAAC;AAClG,sBAAsB;AACtB,MAAM,mBAAmB,GAAG,iCAAiC,CAAC;AAC9D,gDAAgD;AAChD,MAAM,qBAAqB,GAAG,yDAAyD,CAAC;AAExF,8CAA8C;AAC9C,MAAM,sBAAsB,GAAG;IAC7B,kBAAkB;IAClB;QACE,KAAK,EAAE,uBAAuB;QAC9B,OAAO,EAAE,kEAAkE;QAC3E,UAAU,EACR,uKAAuK;QACzK,QAAQ,EAAE,OAAgB;KAC3B;IACD,mCAAmC;IACnC;QACE,KAAK,EAAE,2BAA2B;QAClC,OAAO,EAAE,sFAAsF;QAC/F,UAAU,EACR,gIAAgI;QAClI,QAAQ,EAAE,OAAgB;KAC3B;IACD,uCAAuC;IACvC;QACE,KAAK,EAAE,yBAAyB;QAChC,OAAO,EAAE,gFAAgF;QACzF,UAAU,EACR,iKAAiK;QACnK,QAAQ,EAAE,OAAgB;KAC3B;IACD,+BAA+B;IAC/B;QACE,KAAK,EAAE,mBAAmB;QAC1B,OAAO,EAAE,iEAAiE;QAC1E,UAAU,EACR,yFAAyF;QAC3F,QAAQ,EAAE,SAAkB;KAC7B;IACD,2DAA2D;IAC3D;QACE,KAAK,EAAE,qBAAqB;QAC5B,OAAO,EAAE,uDAAuD;QAChE,UAAU,EACR,0GAA0G;QAC5G,QAAQ,EAAE,SAAkB;KAC7B;CACF,CAAC;AAEF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,WAAW,CAAC;IAC3C,EAAE,EAAE,sCAAsC;IAC1C,IAAI,EAAE,oBAAoB;IAC1B,QAAQ,EAAE,IAAI;IACd,KAAK,EAAE,EAAE,SAAS,EAAE,CAAC,YAAY,CAAC,EAAE,QAAQ,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,EAAE;IACrE,aAAa,EAAE,KAAK;IAEpB,UAAU,EAAE,QAAQ;IACpB,WAAW,EAAE,6DAA6D;IAC1E,eAAe,EAAE;;;;;;;;;;;uGAWoF;IACrG,IAAI,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,eAAe,CAAC;IAC3C,SAAS,EAAE,CAAC,IAAI,CAAC;IAEjB,OAAO,CAAC,OAAe,EAAE,QAAgB;QACvC,MAAM,CAAC,KAAK,CAAC;YACX,GAAG,EAAE,2CAA2C;YAChD,GAAG,EAAE,8CAA8C;SACpD,CAAC,CAAC;QACH,iDAAiD;QACjD,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,UAAU,GAAqB,EAAE,CAAC;QACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAElC,KAAK,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;YAC/C,MAAM,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YAEzB,gBAAgB;YAChB,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,UAAU,C
AAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAChE,SAAS;YACX,CAAC;YAED,KAAK,MAAM,OAAO,IAAI,sBAAsB,EAAE,CAAC;gBAC7C,oBAAoB;gBACpB,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;gBAC5B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACvC,IAAI,KAAK,EAAE,CAAC;oBACV,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,OAAO,GAAG,CAAC;wBACjB,MAAM,EAAE,KAAK,CAAC,KAAK;wBACnB,OAAO,EAAE,OAAO,CAAC,OAAO;wBACxB,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;wBAC9B,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;wBACf,QAAQ;qBACT,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC,CAAC"}
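--- a/package/dist/checks/security/csp-headers.d.ts
+++ b/package/dist/checks/security/csp-headers.d.ts
@@ -0,0 +1,11 @@
+/**
+* @fileoverview Validate Content Security Policy headers configuration
+*/
+/**
+* Check: security/csp-headers
+*
+* Validates Content Security Policy headers are properly configured.
+* Prevents XSS and other injection attacks.
+*/
+export declare const cspHeaders: import("@opensip-cli/fitness").Check;
+//# sourceMappingURL=csp-headers.d.ts.map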
@@ -0,0 +1 @@
1
+
{"version":3,"file":"csp-headers.d.ts","sourceRoot":"","sources":["../../../src/checks/security/csp-headers.ts"],"names":[],"mappings":"AAIA;;GAEG;AAqIH;;;;;GAKG;AACH,eAAO,MAAM,UAAU,sCA+DrB,CAAC"}
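--- a/package/dist/checks/security/csp-headers.js
+++ b/package/dist/checks/security/csp-headers.js
@@ -0,0 +1,192 @@
+// @fitness-ignore-file no-eval -- String literals referencing eval()/Function() in CSP check descriptions and suggestions, not actual usage
+// @fitness-ignore-file fitness-ignore-validation -- Fitness-ignore directives reference internal check IDs that may not be statically resolvable
+// @fitness-ignore-file file-length-limit -- Complex module with tightly coupled logic; refactoring would risk breaking changes
+// @fitness-ignore-file csp-headers -- Fitness check definition, not production CSP configuration
+/**
+* @fileoverview Validate Content Security Policy headers configuration
+*/
+import { logger } from '@opensip-cli/core';
+import { defineCheck, isCommentLine } from '@opensip-cli/fitness';
+/**
+* Match unsafe-inline CSP directive
+*/
+function matchUnsafeInline(line) {
+logger.debug({
+evt: 'fitness.checks.csp_headers.match_unsafe_inline',
+msg: 'Checking for unsafe-inline CSP directive',
+});
+return /['"`]unsafe-inline['"`]/i.exec(line);
+}
+/**
+* Match unsafe-eval CSP directive
+*/
+function matchUnsafeEval(line) {
+logger.debug({
+evt: 'fitness.checks.csp_headers.match_unsafe_eval',
+msg: 'Checking for unsafe-eval CSP directive',
+});
+return /['"`]unsafe-eval['"`]/i.exec(line);
+}
+/**
+* Match wildcard in CSP directive
+*/
+function matchCspWildcard(line) {
+logger.debug({
+evt: 'fitness.checks.csp_headers.match_csp_wildcard',
+msg: 'Checking for wildcard in CSP directive',
+});
+const lowerLine = line.toLowerCase();
+const cspDirectives = ['default-src', 'script-src', 'style-src', 'img-src', 'connect-src'];
+for (const directive of cspDirectives) {
+if (lowerLine.includes(directive)) {
+const match = /['"]\*['"]/i.exec(line);
+if (match)
+return match;
+}
+}
+return null;
+}
+/**
+* Match CSP config missing default-src
+*/
+function matchMissingDefaultSrc(line) {
+logger.debug({
+evt: 'fitness.checks.csp_headers.match_missing_default_src',
+msg: 'Checking for missing default-src CSP directive',
+});
+const lowerLine = line.toLowerCase();
+if (!lowerLine.includes('contentsecuritypolicy'))
+return null;
+if (lowerLine.includes('defaultsrc') || lowerLine.includes('default-src'))
+return null;
+// @fitness-ignore-next-line sonarjs-regular-expr -- Simple pattern with no backtracking; \s* followed by character class, then literal
+return /contentSecurityPolicy\s*[:=]\s*\{/i.exec(line);
+}
+/**
+* Match data: URI in script-src
+*/
+function matchDataUriInScriptSrc(line) {
+logger.debug({
+evt: 'fitness.checks.csp_headers.match_data_uri_in_script_src',
+msg: 'Checking for data URI in script-src directive',
+});
+const lowerLine = line.toLowerCase();
+if (!lowerLine.includes('script-src'))
+return null;
+return /['"`]data:['"`]/i.exec(line);
+}
+// Patterns that indicate CSP issues
+const CSP_SECURITY_PATTERNS = [
+// Unsafe inline scripts
+{
+match: matchUnsafeInline,
+message: "CSP 'unsafe-inline' detected - avoid inline scripts/styles if possible",
+suggestion: "Use nonces or hashes instead of 'unsafe-inline'. For scripts, use script-src 'nonce-{random}' and add nonce attribute to script tags. For styles, extract to external stylesheets.",
+severity: 'warning',
+},
+// Unsafe eval
+{
+match: matchUnsafeEval,
+message: "CSP 'unsafe-eval' detected - this allows eval() and similar dangerous functions",
+suggestion: "Remove 'unsafe-eval' and refactor code that uses eval(), new Function(), or setTimeout/setInterval with string arguments. Use proper JSON parsing and precompiled templates.",
+severity: 'error',
+},
+// Wildcard in CSP
+{
+match: matchCspWildcard,
+message: 'CSP wildcard (*) directive detected - use specific origins',
+suggestion: 'Replace wildcard (*) with specific trusted origins. For images/fonts, list CDN domains explicitly. For API calls, list your API domains.',
+severity: 'warning',
+},
+// Missing default-src
+{
+match: matchMissingDefaultSrc,
+message: 'CSP configuration may be missing default-src directive',
+suggestion: 'Add default-src: ["\'self\'"] as a fallback policy. This restricts resources to same-origin by default unless overridden by more specific directives.',
+severity: 'warning',
+},
+// data: URI in script-src (dangerous)
+{
+match: matchDataUriInScriptSrc,
+message: "CSP script-src with 'data:' URI is dangerous - can execute arbitrary code",
+suggestion: "Remove 'data:' from script-src. Data URIs in scripts allow arbitrary code execution, defeating the purpose of CSP. Move scripts to external files or use nonces.",
+severity: 'error',
+},
+];
+// Files likely to contain CSP configuration
+const CSP_CONFIG_PATTERNS = ['helmet', 'contentsecuritypolicy', 'content-security-policy', 'csp'];
+/**
+* Check if content contains CSP configuration references
+*/
+function containsCspContent(content) {
+logger.debug({
+evt: 'fitness.checks.csp_headers.contains_csp_content',
+msg: 'Checking if content contains CSP configuration references',
+});
+const lowerContent = content.toLowerCase();
+return CSP_CONFIG_PATTERNS.some((pattern) => lowerContent.includes(pattern));
+}
+/**
+* Check: security/csp-headers
+*
+* Validates Content Security Policy headers are properly configured.
+* Prevents XSS and other injection attacks.
+*/
+export const cspHeaders = defineCheck({
+id: 'ab02c5a5-881d-4004-a655-0ec73944bbe1',
+slug: 'csp-headers',
+disabled: true,
+scope: { languages: ['typescript', 'tsx'], concerns: ['frontend', 'ui'] },
+contentFilter: 'raw',
+confidence: 'medium',
+description: 'Validate Content Security Policy headers configuration',
+longDescription: `**Purpose:** Validates that Content Security Policy (CSP) headers are configured securely, preventing XSS and code injection attacks.
+
+**Detects:**
+- \`'unsafe-inline'\` in CSP directives (allows inline scripts/styles)
+- \`'unsafe-eval'\` in CSP directives (allows eval() and similar)
+- Wildcard \`*\` in CSP source directives (default-src, script-src, style-src, img-src, connect-src)
+- Missing \`default-src\` in contentSecurityPolicy configuration objects
+- \`data:\` URI in script-src (allows arbitrary code execution)
+
+**Why it matters:** Weak CSP directives undermine the primary browser defense against XSS. A properly configured CSP blocks injected scripts even when other defenses fail.
+
+**Scope:** General best practice. Analyzes each file individually. Only scans files containing helmet, contentSecurityPolicy, or csp references.`,
+tags: ['security', 'csp', 'headers', 'xss'],
+fileTypes: ['ts'],
+analyze(content, filePath) {
+logger.debug({
+evt: 'fitness.checks.csp_headers.analyze',
+msg: 'Analyzing file for CSP header configuration issues',
+});
+// Only scan files that might contain CSP config
+if (!containsCspContent(content)) {
+return [];
+}
+const violations = [];
+const lines = content.split('\n');
+for (const [lineNum, line_] of lines.entries()) {
+const line = line_ ?? '';
+// Skip comments
+if (isCommentLine(line)) {
+continue;
+}
+for (const pattern of CSP_SECURITY_PATTERNS) {
+const match = pattern.match(line);
+if (match) {
+violations.push({
+line: lineNum + 1,
+column: match.index,
+message: pattern.message,
+severity: pattern.severity,
+suggestion: pattern.suggestion,
+match: match[0],
+filePath,
+});
+}
+}
+}
+return violations;
+},
+});
+//# sourceMappingURL=csp-headers.js.map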
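Review bot: matchMissingDefaultSrc (lines 52–64) decides per line, so the common multi-line form — `contentSecurityPolicy: {` on one line and `defaultSrc: [...]` inside `directives` a few lines further down — is reported as missing default-src even though it is present, because the `lowerLine.includes('defaultsrc')` test on line 60 can only see the opening line. A small fix is to let matchers see the whole file: call `pattern.match(line, content)` on line 175, change the signature to `function matchMissingDefaultSrc(line, content)`, and replace the two `lowerLine.includes(...)` checks on line 60 with `if (/default-?src/i.test(content)) return null;` (the other matchers can ignore the extra argument). Separately, every matcher calls `logger.debug` before doing any work, so a scanned file emits five debug events per non-comment line on top of the one in `analyze`; dropping the per-matcher calls, or moving them after the early `return null` guards, keeps log volume proportional to findings rather than to file length.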
@@ -0,0 +1 @@
1
+
{"version":3,"file":"csp-headers.js","sourceRoot":"","sources":["../../../src/checks/security/csp-headers.ts"],"names":[],"mappings":"AAAA,4IAA4I;AAC5I,iJAAiJ;AACjJ,+HAA+H;AAC/H,iGAAiG;AACjG;;GAEG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAC3C,OAAO,EAAE,WAAW,EAAE,aAAa,EAAuB,MAAM,sBAAsB,CAAC;AAEvF;;GAEG;AACH,SAAS,iBAAiB,CAAC,IAAY;IACrC,MAAM,CAAC,KAAK,CAAC;QACX,GAAG,EAAE,gDAAgD;QACrD,GAAG,EAAE,0CAA0C;KAChD,CAAC,CAAC;IACH,OAAO,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAY;IACnC,MAAM,CAAC,KAAK,CAAC;QACX,GAAG,EAAE,8CAA8C;QACnD,GAAG,EAAE,wCAAwC;KAC9C,CAAC,CAAC;IACH,OAAO,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,IAAY;IACpC,MAAM,CAAC,KAAK,CAAC;QACX,GAAG,EAAE,+CAA+C;QACpD,GAAG,EAAE,wCAAwC;KAC9C,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,aAAa,GAAG,CAAC,aAAa,EAAE,YAAY,EAAE,WAAW,EAAE,SAAS,EAAE,aAAa,CAAC,CAAC;IAC3F,KAAK,MAAM,SAAS,IAAI,aAAa,EAAE,CAAC;QACtC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAClC,MAAM,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACvC,IAAI,KAAK;gBAAE,OAAO,KAAK,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,CAAC,KAAK,CAAC;QACX,GAAG,EAAE,sDAAsD;QAC3D,GAAG,EAAE,gDAAgD;KACtD,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACrC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,uBAAuB,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9D,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC;QAAE,OAAO,IAAI,CAAC;IACvF,uIAAuI;IACvI,OAAO,oCAAoC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACzD,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,IAAY;IAC3C,MAAM,CAAC,KAAK,CAAC;QACX,GAAG,EAAE,yDAAyD;QAC9D,GAAG,EAAE,+CAA+C;KACrD,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACrC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,OAAO,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACvC,CAAC;AAED,oCAAoC;AACpC,MAAM,qBAAqB,GAAG;IAC5B,wBAAwB;IACxB;QACE,KAAK,EAAE,iBAAiB;QACxB,OAAO,EAAE,wEAAwE;QACjF,UAAU,EACR,oLAAoL;QACtL,QAAQ,EAAE,SAAkB;KAC7B;IACD
,cAAc;IACd;QACE,KAAK,EAAE,eAAe;QACtB,OAAO,EAAE,iFAAiF;QAC1F,UAAU,EACR,8KAA8K;QAChL,QAAQ,EAAE,OAAgB;KAC3B;IACD,kBAAkB;IAClB;QACE,KAAK,EAAE,gBAAgB;QACvB,OAAO,EAAE,4DAA4D;QACrE,UAAU,EACR,0IAA0I;QAC5I,QAAQ,EAAE,SAAkB;KAC7B;IACD,sBAAsB;IACtB;QACE,KAAK,EAAE,sBAAsB;QAC7B,OAAO,EAAE,wDAAwD;QACjE,UAAU,EACR,uJAAuJ;QACzJ,QAAQ,EAAE,SAAkB;KAC7B;IACD,sCAAsC;IACtC;QACE,KAAK,EAAE,uBAAuB;QAC9B,OAAO,EAAE,2EAA2E;QACpF,UAAU,EACR,kKAAkK;QACpK,QAAQ,EAAE,OAAgB;KAC3B;CACF,CAAC;AAEF,4CAA4C;AAC5C,MAAM,mBAAmB,GAAG,CAAC,QAAQ,EAAE,uBAAuB,EAAE,yBAAyB,EAAE,KAAK,CAAC,CAAC;AAElG;;GAEG;AACH,SAAS,kBAAkB,CAAC,OAAe;IACzC,MAAM,CAAC,KAAK,CAAC;QACX,GAAG,EAAE,iDAAiD;QACtD,GAAG,EAAE,2DAA2D;KACjE,CAAC,CAAC;IACH,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAC3C,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;AAC/E,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG,WAAW,CAAC;IACpC,EAAE,EAAE,sCAAsC;IAC1C,IAAI,EAAE,aAAa;IACnB,QAAQ,EAAE,IAAI;IACd,KAAK,EAAE,EAAE,SAAS,EAAE,CAAC,YAAY,EAAE,KAAK,CAAC,EAAE,QAAQ,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC,EAAE;IACzE,aAAa,EAAE,KAAK;IAEpB,UAAU,EAAE,QAAQ;IACpB,WAAW,EAAE,wDAAwD;IACrE,eAAe,EAAE;;;;;;;;;;;iJAW8H;IAC/I,IAAI,EAAE,CAAC,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,CAAC;IAC3C,SAAS,EAAE,CAAC,IAAI,CAAC;IAEjB,OAAO,CAAC,OAAe,EAAE,QAAgB;QACvC,MAAM,CAAC,KAAK,CAAC;YACX,GAAG,EAAE,oCAAoC;YACzC,GAAG,EAAE,oDAAoD;SAC1D,CAAC,CAAC;QACH,gDAAgD;QAChD,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,EAAE,CAAC;YACjC,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,UAAU,GAAqB,EAAE,CAAC;QACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAElC,KAAK,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;YAC/C,MAAM,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YAEzB,gBAAgB;YAChB,IAAI,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxB,SAAS;YACX,CAAC;YAED,KAAK,MAAM,OAAO,IAAI,qBAAqB,EAAE,CAAC;gBAC5C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAClC,IAAI,KAAK,EAAE,CAAC;oBACV,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,OAAO,GAAG,CAAC;wBACjB,MAAM,EAAE,KAAK,CAAC,KAAK;wBACnB,OAAO,EAAE,OAAO,CAAC,OAAO;wBACxB,QAAQ,EAAE,OAAO,CAAC,Q
AAQ;wBAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;wBAC9B,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;wBACf,QAAQ;qBACT,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC,CAAC"}
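--- a/package/dist/checks/security/dependency-vulnerability-audit.d.ts
+++ b/package/dist/checks/security/dependency-vulnerability-audit.d.ts
@@ -0,0 +1,15 @@
+/**
+* @fileoverview Dependency Vulnerability Audit Check
+*
+* Runs the project's package-manager audit (pnpm/yarn/npm) and turns
+* the result into fitness violations. Static-analysis tools like
+* semgrep ship as separate checks (`semgrep-scan`).
+*/
+/**
+* Check: security/dependency-vulnerability-audit
+*
+* Dependency vulnerability scanning via the project's package
+* manager.
+*/
+export declare const dependencyVulnerabilityAudit: import("@opensip-cli/fitness").Check;
+//# sourceMappingURL=dependency-vulnerability-audit.d.ts.map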
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dependency-vulnerability-audit.d.ts","sourceRoot":"","sources":["../../../src/checks/security/dependency-vulnerability-audit.ts"],"names":[],"mappings":"AACA;;;;;;GAMG;AAQH;;;;;GAKG;AACH,eAAO,MAAM,4BAA4B,sCAiGvC,CAAC"}
|
|
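--- a/package/dist/checks/security/dependency-vulnerability-audit.js
+++ b/package/dist/checks/security/dependency-vulnerability-audit.js
@@ -0,0 +1,184 @@
+// @fitness-ignore-file unused-config-options -- Config options reserved for future use or environment-specific
+/**
+* @fileoverview Dependency Vulnerability Audit Check
+*
+* Runs the project's package-manager audit (pnpm/yarn/npm) and turns
+* the result into fitness violations. Static-analysis tools like
+* semgrep ship as separate checks (`semgrep-scan`).
+*/
+import { defineCheck } from '@opensip-cli/fitness';
+// =============================================================================
+// CHECK DEFINITION
+// =============================================================================
+/**
+* Check: security/dependency-vulnerability-audit
+*
+* Dependency vulnerability scanning via the project's package
+* manager.
+*/
+export const dependencyVulnerabilityAudit = defineCheck({
+id: '4dadedc7-24e6-4e36-b006-3f0ba93d55bb',
+slug: 'dependency-vulnerability-audit',
+scope: { languages: ['typescript'], concerns: ['backend'] },
+confidence: 'medium',
+description: 'Dependency vulnerability scanning via package manager audit',
+longDescription: `**Purpose:** Runs dependency vulnerability scanning using the project's package manager (pnpm, yarn, or npm).
+
+**Detects:**
+- Critical and high severity vulnerabilities (reported as errors)
+- Moderate severity vulnerabilities (reported as warnings)
+- Auto-detects package manager from lockfile: pnpm-lock.yaml → pnpm, yarn.lock → yarn, otherwise npm
+
+**Why it matters:** Automated security scanning catches known vulnerabilities in dependencies before they reach production, reducing the attack surface.
+
+**Scope:** General best practice. Runs external tool (\`command\`): auto-detected \`audit --json\`. 3-minute timeout for longer scans.`,
+tags: ['security', 'compliance', 'quality'],
+fileTypes: ['ts', 'tsx'],
+timeout: 180_000, // 3 minutes - security scans take longer
+command: {
+// Detect package manager: prefer pnpm > yarn > npm (matches lockfile present in cwd)
+bin: 'sh',
+args: [
+'-c',
+'if [ -f pnpm-lock.yaml ]; then pnpm audit --json 2>/dev/null; elif [ -f yarn.lock ]; then yarn audit --json 2>/dev/null; else npm audit --json 2>/dev/null; fi; exit 0',
+],
+expectedExitCodes: [0, 1], // audit tools return 1 when vulnerabilities found
+/* v8 ignore start -- npm audit parse exercised via integration tests (requires lockfile + audit CLI) */
+parseOutput(stdout, _stderr, _exitCode) {
+const violations = [];
+// Parse npm/pnpm audit results.
+//
+// The metadata totals roll up EVERY advisory including dev-only
+// transitive ones (e.g. vitest → vite). Those don't ship to
+// production. To avoid false-positives on dev-only chains, walk
+// the per-advisory `findings[].paths[]` and reduce the count to
+// advisories that have at least one non-dev path.
+try {
+const auditResult = JSON.parse(stdout);
+// Filter to production-affecting advisories. A finding is
+// production-affecting if it has at least one path whose
+// `dev` flag is not true. Absence of metadata = treat as
+// production (conservative).
+const prodCounts = countProductionAdvisories(auditResult);
+const count = prodCounts.critical + prodCounts.high + prodCounts.moderate;
+if (count > 0) {
+const severity = getNpmAuditSeverityFromCounts(prodCounts);
+violations.push({
+line: 1,
+message: `npm audit found ${count} production-affecting vulnerabilities`,
+severity: severity === 'critical' || severity === 'high' ? 'error' : 'warning',
+suggestion: 'Run `npm audit fix` to automatically fix vulnerabilities, or `npm audit` for details. For breaking changes, manually update the affected packages. Dev-only transitive vulnerabilities (e.g. via vitest, eslint) are excluded from this count.',
+type: `security-${severity}`,
+match: 'npm-audit',
+filePath: 'package.json',
+});
+}
+}
+catch {
+// @swallow-ok Ignore parse errors
+}
+return violations;
+},
+/* v8 ignore stop */
+},
+});
+/**
+* Dev-only tooling packages whose transitive vulnerabilities never
+* reach production. pnpm's `audit --json` does not populate the
+* per-finding `dev` flag, so we infer dev status from the first hop
+* of the dependency path.
+*/
+const DEV_ONLY_TOOL_ROOTS = new Set([
+'vitest',
+'@vitest/coverage-v8',
+'eslint',
+'eslint-plugin-import',
+'eslint-plugin-sonarjs',
+'eslint-plugin-unicorn',
+'eslint-import-resolver-typescript',
+'@typescript-eslint',
+'typescript-eslint',
+'turbo',
+'knip',
+'dependency-cruiser',
+'tsx',
+'tsup',
+'jest',
+'@jest',
+'ink', // CLI UI testing - dev-time interactive surfaces
+]);
+function isPathProduction(p) {
+// pnpm format: 'workspace__pkg>dep>subdep'. Split on '>' and check
+// whether the first non-workspace hop is a known dev-only tool.
+const segments = p.split('>');
+for (const seg of segments) {
+if (seg.startsWith('packages__'))
+continue;
+if (seg === '.')
+continue;
+if (DEV_ONLY_TOOL_ROOTS.has(seg))
+return false;
+// Also match scoped variants like '@vitest/coverage-v8' or
+// '@typescript-eslint/<sub>'.
+if (seg.startsWith('@')) {
+const scope = seg.split('/')[0];
+if (scope !== undefined && DEV_ONLY_TOOL_ROOTS.has(scope))
+return false;
+}
+// First real dep encountered — if it's not in the dev-only list,
+// treat this path as production-affecting.
+return true;
+}
+return true;
+}
+function isProductionFinding(f) {
+if (f.dev === true)
+return false;
+const paths = f.paths ?? [];
+if (paths.length === 0)
+return true;
+return paths.some((p) => isPathProduction(p));
+}
+function countProductionAdvisories(audit) {
+const counts = { critical: 0, high: 0, moderate: 0, low: 0 };
+const advisories = audit.advisories;
+const vulnerabilities = audit.vulnerabilities;
+if (advisories) {
+for (const adv of Object.values(advisories)) {
+const sev = adv.severity ?? 'low';
+const findings = adv.findings ?? [];
+const isProd = findings.some((f) => isProductionFinding(f));
+if (isProd)
+counts[sev] += 1;
+}
+return counts;
+}
+if (vulnerabilities) {
+for (const v of Object.values(vulnerabilities)) {
+const sev = v.severity ?? 'low';
+const via = v.via ?? [];
+const isProd = via.some((entry) => typeof entry === 'string' || entry.dev !== true);
+if (isProd)
+counts[sev] += 1;
+}
+return counts;
+}
+// Fallback: no per-advisory detail — use the rolled-up totals.
+const meta = audit.metadata?.vulnerabilities ?? {};
+counts.critical = meta.critical ?? 0;
+counts.high = meta.high ?? 0;
+counts.moderate = meta.moderate ?? 0;
+counts.low = meta.low ?? 0;
+return counts;
+}
+function getNpmAuditSeverityFromCounts(counts) {
+if (counts.critical > 0)
+return 'critical';
+if (counts.high > 0)
+return 'high';
+if (counts.moderate > 0)
+return 'moderate';
+return 'low';
+}
+/* v8 ignore stop */
+//# sourceMappingURL=dependency-vulnerability-audit.js.map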
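Review bot: The audit command at line 43 forces `exit 0` and discards stderr, and `parseOutput` swallows every parse failure in the empty `catch` at line 77, so a missing package manager, an unreachable registry, or a repo with no lockfile (`npm audit` refuses to run without one) all yield empty stdout and zero violations — indistinguishable from a clean scan, which makes this security gate fail open. I would drop `exit 0` and the `2>/dev/null` redirects (the existing `expectedExitCodes: [0, 1]` already admits the "vulnerabilities found" status; anything else presumably surfaces as a tool error) and report a warning whenever stdout is empty or not JSON, as sketched below. Two format issues compound this: yarn classic's `audit --json` emits newline-delimited JSON, which `JSON.parse(stdout)` rejects and the catch then hides, and in npm ≥7 output the `dev` flag appears to live on the vulnerability entry (`v.dev`) rather than on `via` items, so `entry.dev !== true` at line 160 is presumably always true and the dev filter never applies for npm — checking `v.dev !== true` would match that schema. The `DEV_ONLY_TOOL_ROOTS` heuristic also classifies by package name alone, so a listed tool declared under `dependencies` would have its advisories suppressed; a comment on the set such as `// Name-based heuristic: a listed tool that is a runtime dependency is still treated as dev-only` would make that trade-off explicit.
```javascript
// … unchanged: check metadata, longDescription, tags, timeout …
args: [
    '-c',
    'if [ -f pnpm-lock.yaml ]; then pnpm audit --json; elif [ -f yarn.lock ]; then yarn audit --json; else npm audit --json; fi',
],
expectedExitCodes: [0, 1], // audit tools return 1 when vulnerabilities found
parseOutput(stdout, _stderr, exitCode) {
    const violations = [];
    let auditResult;
    try {
        auditResult = JSON.parse(stdout);
    }
    catch {
        // A scan that produced no parseable report must not look like a clean scan.
        violations.push({
            line: 1,
            message: `dependency audit produced no parseable JSON output (exit code ${exitCode})`,
            severity: 'warning',
            suggestion: 'Check that the detected package manager is installed, a lockfile exists, and the registry is reachable; run the audit manually to see its stderr.',
            type: 'security-audit-unavailable',
            match: 'npm-audit',
            filePath: 'package.json',
        });
        return violations;
    }
    // … unchanged: countProductionAdvisories(auditResult) and the violation push …
```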
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dependency-vulnerability-audit.js","sourceRoot":"","sources":["../../../src/checks/security/dependency-vulnerability-audit.ts"],"names":[],"mappings":"AAAA,+GAA+G;AAC/G;;;;;;GAMG;AAEH,OAAO,EAAE,WAAW,EAAuB,MAAM,sBAAsB,CAAC;AAExE,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG,WAAW,CAAC;IACtD,EAAE,EAAE,sCAAsC;IAC1C,IAAI,EAAE,gCAAgC;IACtC,KAAK,EAAE,EAAE,SAAS,EAAE,CAAC,YAAY,CAAC,EAAE,QAAQ,EAAE,CAAC,SAAS,CAAC,EAAE;IAE3D,UAAU,EAAE,QAAQ;IACpB,WAAW,EAAE,6DAA6D;IAC1E,eAAe,EAAE;;;;;;;;;uIASoH;IACrI,IAAI,EAAE,CAAC,UAAU,EAAE,YAAY,EAAE,SAAS,CAAC;IAC3C,SAAS,EAAE,CAAC,IAAI,EAAE,KAAK,CAAC;IACxB,OAAO,EAAE,OAAO,EAAE,yCAAyC;IAE3D,OAAO,EAAE;QACP,qFAAqF;QACrF,GAAG,EAAE,IAAI;QACT,IAAI,EAAE;YACJ,IAAI;YACJ,wKAAwK;SACzK;QACD,iBAAiB,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,kDAAkD;QAE7E,wGAAwG;QACxG,WAAW,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS;YACpC,MAAM,UAAU,GAAqB,EAAE,CAAC;YAExC,gCAAgC;YAChC,EAAE;YACF,gEAAgE;YAChE,4DAA4D;YAC5D,gEAAgE;YAChE,gEAAgE;YAChE,kDAAkD;YAClD,IAAI,CAAC;gBA0BH,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAgB,CAAC;gBAEtD,0DAA0D;gBAC1D,yDAAyD;gBACzD,yDAAyD;gBACzD,6BAA6B;gBAC7B,MAAM,UAAU,GAAG,yBAAyB,CAAC,WAAW,CAAC,CAAC;gBAC1D,MAAM,KAAK,GAAG,UAAU,CAAC,QAAQ,GAAG,UAAU,CAAC,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC;gBAE1E,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;oBACd,MAAM,QAAQ,GAAG,6BAA6B,CAAC,UAAU,CAAC,CAAC;oBAC3D,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,CAAC;wBACP,OAAO,EAAE,mBAAmB,KAAK,uCAAuC;wBACxE,QAAQ,EAAE,QAAQ,KAAK,UAAU,IAAI,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;wBAC9E,UAAU,EACR,gPAAgP;wBAClP,IAAI,EAAE,YAAY,QAAQ,EAAE;wBAC5B,KAAK,EAAE,WAAW;wBAClB,QAAQ,EAAE,cAAc;qBACzB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,kCAAkC;YACpC,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;QACD,oBAAoB;KACrB;CACF,CAAC,CAAC;AAUH;;;;;GAKG;AACH,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,QAAQ;IACR,qBAAqB;IACrB,QAAQ;IACR,sBAAsB;IACtB,uBAAuB;IACvB,uBAAuB;IACvB,mCAAmC;IACnC,oBAAoB;IACpB,mBAAmB;IACnB,OAAO;IACP,MAAM;IACN,oBAAoB;IACpB,KAAK;IACL,MAAM;IACN,MAAM;IACN,OAAO;IACP,KAAK,EAAE,i
DAAiD;CACzD,CAAC,CAAC;AAEH,SAAS,gBAAgB,CAAC,CAAS;IACjC,mEAAmE;IACnE,gEAAgE;IAChE,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,CAAC;YAAE,SAAS;QAC3C,IAAI,GAAG,KAAK,GAAG;YAAE,SAAS;QAC1B,IAAI,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAC/C,2DAA2D;QAC3D,8BAA8B;QAC9B,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAChC,IAAI,KAAK,KAAK,SAAS,IAAI,mBAAmB,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;QAC1E,CAAC;QACD,iEAAiE;QACjE,2CAA2C;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,mBAAmB,CAAC,CAA+C;IAC1E,IAAI,CAAC,CAAC,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACjC,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;IAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC;AAChD,CAAC;AAUD,SAAS,yBAAyB,CAAC,KAYlC;IACC,MAAM,MAAM,GAAwB,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAClF,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;IACpC,MAAM,eAAe,GAAG,KAAK,CAAC,eAAe,CAAC;IAE9C,IAAI,UAAU,EAAE,CAAC;QACf,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5C,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,IAAI,KAAK,CAAC;YAClC,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC;YACpC,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5D,IAAI,MAAM;gBAAE,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC/B,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,eAAe,EAAE,CAAC;QACpB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC;YAC/C,MAAM,GAAG,GAAG,CAAC,CAAC,QAAQ,IAAI,KAAK,CAAC;YAChC,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC;YACxB,MAAM,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,GAAG,KAAK,IAAI,CAAC,CAAC;YACpF,IAAI,MAAM;gBAAE,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC/B,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,+DAA+D;IAC/D,MAAM,IAAI,GA
AG,KAAK,CAAC,QAAQ,EAAE,eAAe,IAAI,EAAE,CAAC;IACnD,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,CAAC,CAAC;IACrC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC;IAC7B,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,CAAC,CAAC;IACrC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;IAC3B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,6BAA6B,CAAC,MAA2B;IAChE,IAAI,MAAM,CAAC,QAAQ,GAAG,CAAC;QAAE,OAAO,UAAU,CAAC;IAC3C,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC;QAAE,OAAO,MAAM,CAAC;IACnC,IAAI,MAAM,CAAC,QAAQ,GAAG,CAAC;QAAE,OAAO,UAAU,CAAC;IAC3C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,oBAAoB"}
|
|
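--- a/package/dist/checks/security/env-secret-exposure.d.ts
+++ b/package/dist/checks/security/env-secret-exposure.d.ts
@@ -0,0 +1,11 @@
+/**
+* @fileoverview Detect secrets exposed through env vars in logs/errors
+*/
+/**
+* Check: security/env-secret-exposure
+*
+* Detects secrets that might be exposed through environment variables
+* in logs or error messages.
+*/
+export declare const envSecretExposure: import("@opensip-cli/fitness").Check;
+//# sourceMappingURL=env-secret-exposure.d.ts.map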
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"env-secret-exposure.d.ts","sourceRoot":"","sources":["../../../src/checks/security/env-secret-exposure.ts"],"names":[],"mappings":"AAIA;;GAEG;AAyEH;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,sCA+D5B,CAAC"}
|